Find sigma rule

Attack: Event Triggered Execution: Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)

MITRE

Tactic

privilege-escalation
persistence

technique

T1546.007

Test : Netsh Helper DLL Registration

OS

windows

Description:

You can register a “helper dll” with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.

Blog Sample DLL code

Executor

command_prompt

Sigma Rule

proc_creation_win_netsh_helper_dll_persistence.yml (id: 56321594-9087-49d9-bf10-524fe8479452)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test